Privacy
We at Grupo Brennand Energia are fully aware of the importance of privacy and security in relation to the personal data of our clients, contributors, suppliers, service providers, and other partners. Our Privacy Policy thus aims to outline the main guidelines regarding the processing of data by Grupo Brennand Energia. It is therefore important that you read this Policy outlining the purposes for which your personal data will be used and the efforts made to ensure that this is carried out in a
transparent manner in compliance with current legislation.
-
1. Background
1.1. On 14 August 2018, Brazil’s National Congress passed, and the President of the Republic duly signed Law No. 13,709, better known as the General Data Protection Law (LGPD). The LGPD follows the model established by the European Union’s General Data Protection Regulation (GDPR), which came into effect in Europe on 25 May 2018.
1.2. Generally speaking, the LGPD aims to guarantee protection and privacy of the general and sensitive personal data of natural persons, in addition to creating rules and guidelines for any operation for which they are used, including, but not restricted to, the collection, storage, use, reproduction and sharing of such data.
1.3. The LGPD classifies personal data as “information relating to an identified or identifiable natural person.” This includes, for example, social security number, identification number, address, age, next of kin, or any other item or items of personal information that could be used to identify a natural person.
1.4. Sensitive personal data, meanwhile, are defined as “personal data on a natural person’s racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or religious, philosophical or political organization, health status, sex life or sexual orientation, and genetic or biometric data relating to a natural person”.
1.5. The LGPD applies to any operation involving the processing of data relating to natural persons, performed by a natural or legal person, public authority, agency or other body, irrespective of the means of processing, the country where the organization’s head office is located or the country in which the data are located, provided that: (i) the processing operation is carried out in Brazil; (ii) data processing is for the purpose of providing goods or services or processing data relating to individuals located in the country; and, (iii) that the personal data subject to such processing have been collected within the national territory of Brazil.
1.6. Some means of processing of data relating to natural persons are therefore not covered by the LGPD. These include those carried out exclusively for the purposes of work of a journalistic, artistic or academic nature, and information related exclusively to public security, national defense, state security and activities relating to the investigation and prosecution of criminal acts.
1.7. In view of this, it is important, before moving on to further details of our Privacy Policy, to provide some indication of the main concepts related to LGPD, so that a data subject can, in a clear and straightforward manner, gain comprehension of his or her rights and thus be able to exercise them at any point in time, without needing to have recourse to the dry and often difficult-to- understand terminology used by Brazilian legislators. -
2. Definitions
The National Data Protection Authority (ANPD) is the organization responsible for overseeing and providing guidance regarding the application of the LGPD and applying administrative sanctions in cases of violation of its provisions;
The need for a ‘legal basis for processing personal data’ means that, in order to process personal data, the controller and/or processor, as defined below, must provide evidence of one of the legal bases laid out in the LGPD, such as the consent of the data subject, compliance with legal and/or regulatory obligations, the existence of a contract between controller and data subject, among others;
‘Consent’ means any freely given, informed and unambiguous indication by way of which the data subject signifies agreement to the processing of personal data relating to said data subject;
The ‘controller’ means the natural or legal person, public authority, agency or any other body that determines the means and purposes of the processing of personal data;
‘Biometric data’ means any data relating to the physical and/or behavioral characteristics of a natural person that allow or confirm unique identification of that natural person, such as, for example, dactyloscopic data or facial images;
‘General personal data’ means any information relating to an identified or identifiable natural person, such as name, social security number, identification number, address, age, telephone number, bank data, next of kin, or any other item or items of personal information that might be used to identify a natural person;
‘Sensitive personal data’ means data relating to a natural person concerning racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or organization of a religious, philosophical or political nature, health status, sex life or sexual orientation, or genetic or biometric data relating to a natural person;
The ‘personal data processing officer’ means the person assigned by the controller to act as a channel of communication between the controller, data subjects and the ANPD;
‘Purposes’ means the specified explicit lawful purposes for the processing of personal data, of which the data subject is fully cognizant, free of the possibility of further processing incompatible with these purposes;
Grupo Brennand Energia is a business group composed of subsidiary companies controlled by Brennand Energia S.A., which operate, directly or indirectly, in the field of the generation and sale of electrical energy by way of the exploitation of potential renewable energy sources in various regions of Brazil;
‘Freedom of access’ means the right of the data subject to access any information relating to the processing of his or her personal data, with the right to facilitated consultation free of charge regarding the nature and duration of such processing, and on the integrity of his or her personal data;
The ‘processor’ means the natural or legal person, public authority, agency or other body responsible for the processing of personal data on behalf of the controller;
‘Objection’ means the right of the data subject to refuse to allow his or her data to be used, in certain situations permitted by the LGPD;
‘Security’ means the use, by the controller and by the processor, of technical and administrative measures capable of protecting personal data from being accessed by non-authorized individuals and from accidental or criminal damage, loss, alteration, communication or dissemination;
‘Processing’ means any operation carried out using data relating to a natural person, including the collection, production, receipt, classification, use, consultation, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation, and control of information, communication, transfer, dissemination or retrieval thereof;
The ‘data subject’ means the natural person to whom the personal data being processed are related;
‘Transparency’ means a guarantee regarding the right of a data subject to clear, accurate and easily accessible information on the processing carried out and the respective processing agents, in due compliance with the rules regarding trade secrets. -
3. Objectives
3.1. Our Privacy Policy describes the practices adopted in relation to personal data collected by the companies that make up Grupo Brennand Energia.
3.2. This policy applies when general personal data and sensitive personal data are subject to processing for execution of the business processes of Grupo Brennand Energia, including collection, recording, organization, structuring, storage, adaptation, alteration, recovery, consultation, transmission, dissemination or disclosure, alignment or combination, restriction, erasure or destruction.
3.3. The aim of the Privacy Policy is to assure the data subject that data, whether general or sensitive, processed by Grupo Brennand Energia, in its capacity as controller or processor, or by legitimate third parties, will be protected and the data subject’s rights respected, in compliance with the LGPD. -
4. Processing
4.1. Grupo Brennand Energia guarantees that the data in its possession are:
a) processed lawfully, fairly and in a transparent manner;
b) collected for specified, explicit and lawful purposes and not further processed in a manner that is incompatible with these purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ‘data minimization’;
d) accurate and, where necessary, up to date;
e) kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed, being removed or made anonymous when this period of time has expired; and
f) kept secure and protected against unauthorized or unlawful access and/or processing, against accidental loss, destruction or damage, using a security system capable of guaranteeing integrity and confidentiality.
4.1.2. In accordance with the LGPD, the processing of general and sensitive personal data may be carried out by Grupo Brennand Energia under the following circumstances:
4.1.2.1. General Personal Data (Article 7 of the LGPD):
I. when consent has been granted by the data subject;
II. when processing is necessary for compliance with a legal or regulatory obligation;
III. when processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into such a contract;
IV. when processing is necessary for the regular exercise of rights in judicial, administrative or arbitration proceedings;
V. when processing is necessary to protect the life or physical integrity of the data subject or of another natural person; or
VI. when processing is necessary for the purposes of pursuing the legitimate interests of Grupo Brennand Energia, in its capacity as controller.
4.1.2.2. Sensitive Personal Data (Article 11 of the LGPD): I. when specified, explicit consent for certain ends has been granted by the data subject or his or her legal representative; or
II. without the consent of the data subject or his or her legal representative, for the purposes of:
a. compliance with a legal or regulatory obligation;
b. the regular exercise of rights on entering into a contract or legal, administrative or arbitration proceedings;
c. protecting the life or physical integrity of the data subject or of another natural person; or
d. ensuring prevention of fraud and upholding the security of the data subject in identification and authentication procedures for registration in electronic systems, such as the collection of biometric data.
4.2. Processing of the personal data of children and adolescents will always be carried out in their best interests and with the consent of at least one of the holders of parental responsibility over the child in cases where the data relate to minors. -
5. The rights of the data subject
Grupo Brennand Energia recognizes and respects the rights of the data subject (Articles 18, 19 and 20 of the LGPD), possessing the means necessary to be able, at any point, free of charge and in a simple manner, to exercise them, as laid out in the LGPD and applicable regulations, where necessary.
5.2. The data subject has the right to:
I. confirm the existence of processing, by way of access, if expressly requested, in a straightforward manner and free of charge, to the personal data processed, in physical or electronic format, according to the preference of the natural person to whom personal data relates, along with detailed information on the processing;
II. rectification of incomplete, inaccurate or out-of-date information;
III. anonymization, blocking or elimination of unnecessary or excessive data or data not in conformity with the LGPD, along with the elimination of data processed with consent, except in cases where the continuation of processing is required by law, as outlined in the LPGD (Article 16);
IV. request, where applicable, the creation of data portability, structured in such a way that data can be transmitted to another provider of services and/or products, according to ANPD regulations. See information on the sharing of the data processed;;
VI. refuse to grant consent and to receive information on the consequences of such refusal and also to withdraw consent and be aware of the consequences thereof; and
VII. a review of automated decisions, where applicable, with the right to clear and adequate information on the criteria adopted, whensoever these are expressly requested by the data subject.
5.3. The data subject may exercise his or her rights directly, or through a duly appointed legal representative, by way of an express request to the individual responsible for data at Grupo Brennand Energia, through the channels outlined in item 10.3 of this Privacy Policy.
5.4. In cases where Grupo Brennand Energia serves solely as the processor of the personal data processed, the data subject will be directed towards the relevant channel(s) for entering into contact with the controller as a way of ensuring that he or she is fully able to exercise his or her rights. -
6. Data collection and the purposes of data collection
6.1. General and Sensitive Personal Data may arrive at Grupo Brennand Energia by various routes and in various forms, entering our databases, to give just a few examples, because the data subject has applied for a job, registered to receive payment for some contract, signed an employment contract and so forth.
6.2. Depending on the particularities and specificities of each situation, the data collected may include: (i) general personal data, such as, but not limited to, detailed identification data (full name, social security number, identity number, address, date of birth, marital status, nationality, sex, level of education, profession, job title, e-mail address, bank data, telephone number, and so forth); (ii) sensitive personal data, such as those relating to the health of Grupo Brennand Energia employees, collected in relation to health and dental insurance, and also (iii) data relating to children and adolescents, such as full name, social security number, identification number, address, and date of birth, collected to enable the extension to these individuals of benefits granted to their parents in their capacity as employees of Grupo Brennand Energia, such as health and dental insurance plans.
6.3 The data collected are processed for clearly defined and/or authorized purposes, always with the intention of achieving a certain objective, such as, but not limited to, participation of the data subject in a staff recruitment program, registration to receive payment for some contract, signing of an employment contract, inclusion on a payroll list, deduction of taxes, or the signing of various contracts, involving service provision, rent, sales and purchases, and so forth.
6.4 When processing data collected, Grupo Brennand Energia will always establish a legal basis for processing such data, basing its operations on one of the legal bases outlined in items 4.1.2.1. and 4.1.2.2. of this Privacy Policy.
6.5 To gain access to data processed by Grupo Brennand Energia and to obtain detailed information on processing, the data subject must send an express request to the individual responsible for data at Grupo Brennand Energia, through one of the channels indicated in item 10.3 of this Privacy Policy. -
7. Sharing of data with third parties
7.1. To achieve the purpose for which they were collected, the personal data processed by Grupo Brennand Energia may also be processed by legitimate third parties, such as service providers, financial institutions, federal, State and municipal public authorities, autonomous, quasi- autonomous and hybrid organizations, in all cases in compliance with the restrictions established by the LGPD.
7.2. As the controller and organization responsible for processing of the data that it collects, Grupo Brennand Energia, wherever applicable, will require judiciously selected suppliers, partners and formally contracted contributors, to operate in a secure manner and adopt all the security and technical measures necessary for ensuring compliance with legislation relating to the protection and privacy of personal data and the rules established in this Privacy Policy.
7.3. In addition to suppliers, partners and contributors, Grupo Brennand Energia may share the personal data processed with the appropriate legal, administrative or government authorities, whensoever this is required or ordered by a court of law. -
8. Data storage and record keeping
8.1. The data processed by Grupo Brennand Energia will be stored for a period of time limited to that necessary for achieving the desired purpose, in a secure and controlled environment in compliance with security requirements, retention of said data being authorized for the purposes outlined in the LGPD (Article 16).
8.2 The data processed by Grupo Brennand Energia will be accessed solely by duly authorized staff members, showing due respect for the principles of necessity, purpose limitation (proportionality and finality), security and appropriateness, and due commitment to the confidentiality and preservation of privacy outlined in the terms of this Privacy Policy and in the LGPD.
8.3. Storage of the data processed is preferably carried out by servers located in Brazil, in a format conducive to free exercise of the right to access. On occasions, the data processed may be processed using servers located in other countries, according to the requirements of the infrastructure provider. In all cases, this will be carried out in due accordance with Brazilian legislation and the provisions laid out in Article 33 of the LGPD, governing the international transfer of data.
8.4. The conclusion of data processing will be followed by the elimination of the data processed using one of the secure disposal methods available, such as direct deletion of the database, anonymization of information, data masking and destruction, in the case of physical data, and will occur when:
I. it has been ascertained that the purposes have been achieved or that the data have ceased to be necessary for or pertinent to achievement of the purposes specified;
II. the legally authorized time limitation has expired;
III. the data subject has expressly requested this, including by invoking his or her right to withdraw consent; or
IV. the ANPD has determined a violation of one of the provisions of the LGPD to have occurred.
8.5. Notwithstanding the provision in the foregoing item, Grupo Brennand Energia may, in its capacity as controller, provided it is in observance of Article 16 of the LGPD, retain the data undergoing processing for the purposes of fulfilling a legal or regulatory obligation or for its own exclusive use. -
9. Security and good practices
9.1 The systems used by Grupo Brennand Energia are structured in such a way as to assure the adoption of adequate technical measures to ensure the security and confidentiality of the general and sensitive personal data processed.
9.2 Technical measures are adopted that are capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination of personal data processed.
9.3 Security is incorporated into the systems used by Grupo Brennand Energia throughout the processing of personal data.
9.4 In addition to data processed in its capacity as controller, Grupo Brennand Energia also requires its partners, suppliers and contributors to take care to ensure ethical, secure, transparent and responsible processing of data, with a view to ensuring that integrity is safeguarded throughout the data processing lifecycle.
9.5 Despite adopting the best practices and using modern advanced security systems, such systems are not immune to occasional attacks or unlawful interception of data transmitted by data subjects by way of e-mail and/or any other means involving the worldwide web of computers, although this does not nullify or in any way diminish the commitment of Grupo Brennand Energia to periodically updating and improvement of its rules of good practice.
9.6. To counter any violation and/or leak of data that may pose a risk of harm or cause actual damage to the data subject, the organizations that form part of Grupo Brennand Energia possess adequate management procedures and plans for responding to incidents of this nature. These procedures include sending notification to the ANPD and to the data subject, when applicable, as outlined in detail in the Personal Data Security Incident Response Plan.
9.7. In order for Grupo Brennand Energia to be able to guarantee confidentiality and protection of the personal data processed, it is recommended that the data subject adopt certain precautions, such as using only the channels of communications indicated in this Privacy Policy, checking the source of messages received, updating personal data in cases where some alteration has occurred (by way of a request addressed to the data processing officer), and avoiding sharing information enabling access to the channels available (login name and password), where applicable. -
10. The personal data processing officer and channels of communication
10.1. The personal data processing officer is the individual appointed by the controller to act as a channel of communication between the controller, data subjects and the ANPD.
10.2. To this end, the individual responsible for data shall:
I – receive complaints and communications from data subjects, provide clarification and adopt appropriate measures to address such complaints and communications;
II – receive communications from the ANPD and adopt appropriate measures in response;
III – provide guidance for Grupo Brennand Energia employees and contractors regarding measures to be taken in relation to personal data protection; and
IV – perform any other functions determined by the controller or established in complementary legislation.
10.3. In order that the data subject may, at any point, in a simple, straightforward manner and free of charge, exercise his or her rights, any doubts, complaints and/or requests should be addressed to the individual responsible for data identified below, who is duly authorized by Grupo Brennand Energia to provide clarification and/or adopt the appropriate measures necessary regarding processing of personal data:
Data Officer: Reinaldo Correia Torreão Filho
Privacy portal: www.brennandenergia.com.br
e-mail: privacidade@brennandenergia.com.br -
11. Alterations to Privacy Policy
11.1. The content of this Privacy Policy, last updated on 03.03.2022, may be altered at any time, to address changing purposes and/or needs or to ensure compliance with the most up-to-date legislation.
If you wish, you can download our Privacy Policy here